----- Original Message ----- From: "Gary McKinney" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, April 01, 2004 10:12 PM Subject: Re: Alan
> Hi Alan,
>
> Basically:
>
> When you have a client machine that is connecting to a NAS using EAP/TLS
> and variations thereof the encrypted path is ONLY between the client machine
> and the NAS (be it wired or wireless).
>
> The Radius server provides the initial encryption path between the client machine
> and the radius server only during the authentication/authorization phase of the
> connection process. The radius server uses the TLS side of the connection for
> the authorization transactions once the TLS tunnel is established and credentials
> have been verified (by virtue of the security certificates both the radius server
> and client machine have installed) ...
> with TTLS only the radius server has a certificate and the encryption phase is
> handled by a certificate generated on the radius server to that specific session -
> once validated the NAS and the client machine receive an encryption key to use
> during the connection session (and the key is renewed with a new key for the
> NAS and client machine every so often - 300 seconds I think is the default
> setting in FreeRadius's configuration file)....
>
> If you need encryption from the client machine to a distant server/workstation
> then you will need to implement some additional encryption mechanism between
> those end-points as the PEAP/TLS session is ONLY between the NAS and
> client machine connecting to the NAS...
>
> I hope this helps....
>
> Gary N. McKinney

Gary,

Thanks for the help. With my PEAP/TLS implementation (which appears to be working) my client machine, which is running Win XP SP1, asks me for credentials, e.g. username/password, and if the user exists in the users file then I will be authenticated. However, I never installed the openssl-generated certificate on the client side. In my eap.conf file:

eap {
    default_eap_type = peap
    etc......
}

all tls info is correct, and

peap {
    default_eap_type = mschapv2
}

Is the client side cert. automatically accepted?

Also, I have "wep key is provided for me" checked on my XP machine and everything still functions fine. Is the freeradius server providing a wep key to the client machine?

Thanks,
Alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
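As an added example, not code from this thread or from FreeRADIUS itself, here is the RFC 2548 MS-MPPE-Recv-Key/Send-Key wrapping that carries the PEAP/TLS session key from the RADIUS server to the NAS inside the Access-Accept (a Microsoft Vendor-Specific attribute, type 26). The NAS unwraps it with the RADIUS shared secret and the Request-Authenticator and uses it as the dynamic WEP session key; the client never receives this attribute and derives the same key from its own TLS session, which is why nothing has to be typed in on the XP side. The secret, authenticator, salt and key bytes used in the test are constructed values.

```python
import hashlib
import struct

MS_VENDOR_ID = 311                              # Microsoft vendor id (RFC 2548)
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17     # vendor types of the key attributes
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def mppe_encrypt(secret, authenticator, key, salt):
    """Server side: wrap a key per RFC 2548 2.4.2 (legacy MD5 key stream)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)       # pad to 16-byte blocks
    out, prev = b"", authenticator + salt       # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c                  # b(i) = MD5(S + c(i-1))
    return salt + out

def mppe_decrypt(secret, authenticator, blob):
    """NAS side: unwrap with the shared secret + Request-Authenticator."""
    salt, cipher = blob[:2], blob[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be whole 16-byte blocks")
    plain, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain, prev = plain + _xor(c, hashlib.md5(secret + prev).digest()), c
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length after decryption (wrong secret?)")
    return plain[1:1 + n]

def build_mppe_vsa(vendor_type, wrapped):
    inner = struct.pack("!BB", vendor_type, 2 + len(wrapped)) + wrapped
    return struct.pack("!BBI", 26, 6 + len(inner), MS_VENDOR_ID) + inner

def nas_extract_keys(secret, authenticator, attrs):
    """Walk Access-Accept attributes; return {vendor_type: session key}."""
    keys, i = {}, 0
    while i < len(attrs):
        typ, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        if typ == 26 and attrs[i + 2:i + 6] == struct.pack("!I", MS_VENDOR_ID):
            vtype, body = attrs[i + 6], attrs[i + 8:i + length]
            if vtype in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
                keys[vtype] = mppe_decrypt(secret, authenticator, body)
        i += length
    return keys
```

A wrong shared secret on the NAS shows up here as a length byte that fails the sanity check or as garbage key material, which is the usual cause of "authenticated but no traffic flows" with dynamic WEP.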